Method for realizing network electronic identity identification information protection based on key dispersion calculation

ABSTRACT

A method is provided that protects electronic Identity information based on key derived operation. The method includes using an electronic Identity server to send an application derived identifier of the application and user electronic Identity code to a host security module that randomly generates an application master key, encrypts the application derived identifier with the application master key, and gets an application encryption key. The host security module encrypts the user electronic Identity code with the application encryption key, and gets an encryption document. The electronic Identity server codes the encryption document and an application identity code, and gets an application electronic Identity code. The electronic Identity server uses the application electronic Identity code as the user identifier.

RELATED APPLICATIONS

This application claims priority benefit of U.S. Utility applicationSer. No. 15/531,822 filed on Nov. 7, 2017, that is a US National Phaseof PCT application Serial Number PCT/CN2014/096009 filed Dec. 31, 2014that in turn claims priority benefit of CN 201410719446.X filed Dec. 1,2014; the contents of which are hereby incorporated by reference.

FIELD OF TECHNOLOGY

The invention relates to the cross technical fields of electronicIdentity management and information safety, specifically to a method toprotect electronic Identity information based on key derived operation.

DESCRIPTION OF RELATED ARTS

Substantial changes have happened in people's lives and working methodsin the network age, and personal material and spiritual benefits can beboth reflected in the information network. Since 2011, the internetsecret-spilling incident detonated the whole information safetycommunity; leading to the traditional user+password way cannot meet theexisting safety needs anymore. The secret-spilling data includes:tianya: 31,758,468 items, CSDN: 6,428,559 items, microblog: 4,442,915items, renren: 4,445,047 items, maopu: 2,644,726 items, 178: 9,072,819items, duduniu: 13,891,418 items, 7K7K: 18,282,404 items, Adobe: 1.5hundred million, Cupid Media: 42000 thousand, QQ database: more than 6hundred million, Forbes: 1000 thousand, close to 900 million, and so on.The internet changes with each passing day, and all kinds ofapplications emerge in endlessly, and users usually have same registeredhabit, that is, using same username and password for accounts ondifferent websites. So the user's information in one website spills, itmay be spilled indirectly in other applications in the internet, and itwill easily forms butterfly effect of secret-spilling, that is theprivate date of the users' name, ID card No., address, credit card No.,address list, messages, photos, GPS location information and so on ofthe associated accounts are copied, exposed, sold and bought, then theusers will suffer the problems of advertising promotion, spam bombing,telephone harassment, malignancy cheat, blackmail and so on.

Therefore, “Decision related to enhancing the protection of informationof the network”, shows that electronic Identity management has becomethe current focus issue concerned by all across the country. Carryingout electronic Identity management, in terms of the whole social publicarea, can prevent effectively from the phenomenon of inundate of falseinformation, bad information caused by abuse of Internet virtuality; interms of people's livelihood service, can provide social public service,and provide convenience for citizens; in terms of commercial service,can solve the problem of network transaction integrity, which is anurgent demand for the harmonious development of our society. Enteringbig data age, realizing electronic Identity management not only needs toidentify and verify the authenticity and effectiveness of citizens'network identity, but also needs to prevent several applications fromrevealing personal private information caused by active (commercial dataexchange) or passive (information be dragged out of a database) accountinformation converge and data analysis, then direct or indirect damagewill be caused by this.

Existing account management system self-built by each rely party (thatis provider of network application service) has serious defect in termsof personal electronic Identity identify veracity and identityinformation protection, the big scale information revealing as above iscaused and serious damage has caused for the rely party itself and itsusers.

The proposal “relevance comparison” widely used at present, during theprocess of completing identity information verify, causes the revealingof personal identity information easily, and it will cause a wholerevealing of all personal network behavior in big data environment,which will cause the damage more serious.

The electronic Identity (eID for short) is an authority electronicinformation document proving personal identity remotely on the network,signed and issued uniformly by “Ministry of Public Security citizenelectronic Identity identify system”, which is based on cryptographicalgorithm, carried by secure chips, and used to prove the identityremotely on the network for the citizens, its coding has protected truepersonal identity information in design. But under the accountinformation converge and data analysis condition if all facing rely partuses only code, personal identity information is still easily to berevealed. So, a method of generating electronic Identity code of facingrely part needs to be designed to solve the problems of electronicIdentity management and personal privacy protection under big dataenvironment safely and effectively.

SUMMARY OF THE INVENTION

The present invention aims to overcome the above drawbacks of the priorarts, and provide a method to protect electronic Identity informationbased on key derived operation, which can exactly identify and verifythe authenticity and effectiveness, and to prevent the personal privateinformation from revealing resulted from active or passive accountinformation gathering and data analysis, and solve the problem ofelectronic Identity management and personal private protection under thebig data environment safely and effectively.

To achieve the above-mentioned objectives, the method to protectelectronic Identity information based on key derived operation has thefollowing composition:

The method to protect electronic Identity information based on keyderived operation, has the following characteristics, the method isbased on electronic Identity serve system, the system includes clients,a host security module and an electronic Identity server, the methodcomprises the following steps:

(1) The electronic Identity server sends the application derivedidentifier of the application and user electronic Identity code to thehost security module;

(2) The host security module generates randomly an application masterkey, encrypts the application derived identifier with the applicationmaster key, and gets an application encryption key;

(3) The host security module encrypts the user electronic Identity codewith the application encryption key, and gets an encryption document;

(4) The host security module sends the encryption document to theelectronic Identity server;

(5) The electronic Identity server codes the encryption document and anapplication identity code, and gets an application electronic Identitycode;

(6) The electronic Identity server uses the application electronicIdentity code as the user identifier.

Further, before the step (1), the method further comprises the followingstep:

(0) the host security module generates an application master key matrixincluding several application master keys.

Furthermore, the host security module generating randomly an applicationmaster key, is specifically:

The host security module selects an application master key randomly fromthe application master key matrix.

Furthermore, the application master key matrix is a matrix of 16×16.

Further, the encrypting the application derived identifier with theapplication master key, is specifically:

The host security module encrypts the most significant byte of theapplication derived identifier with the application master key and getsthe most significant byte of the application encryption key, and thehost security module encrypts the least significant byte of theapplication derived identifier with the application master key and getsthe least significant byte of the application encryption key.

Furthermore, the encrypting the application derived identifier with theapplication master key, is specifically:

The host security module encrypts the application derived identifierwith the application master key using symmetric encryption algorithm.

Furthermore, the symmetric encryption algorithm is 3DES encryptionalgorithm, SM1 encryption algorithm or SM4 encryption algorithm.

Furthermore, the host security module encrypts the user electronicIdentity code with the application encryption key, is specifically:

The host security module encrypts the user electronic Identity code withthe application encryption key using symmetric encryption algorithm.

Furthermore, the symmetric encryption algorithm is 3DES encryptionalgorithm, SM1 encryption algorithm or SM4 encryption algorithm.

Further, the electronic Identity server codes the encryption documentand an application identity code, is specifically:

The electronic Identity server splices the encryption document and anapplication identity code, and process Base64 coding after theencryption document and the application identity code are spliced.

Further, before the step (1), the method further comprises the followingstep:

(a) The electronic Identity server distributes an application identitycode and an application derived identifier to each registeredapplication, and save the application identity code and the applicationderived identifier to the database.

Further, the application derived identifier is a binary identifier of 16bytes, and the application identity code is an identifier of 48 bytes.

The method to protect electronic Identity information based on keyderived operation faces rely part (that is provider of networkapplication service), it not only can identify and verify accurately theauthenticity and effectiveness of citizens electronic Identity, but alsocan prevent several applications from revealing personal privateinformation caused by active (commercial data exchange) or passive(information be dragged out of a database) account information convergeand data analysis, solve the problems of electronic Identity managementand personal privacy protection under big data environment safely andeffectively. It has the following positive benefits:

1. The application electronic Identity code has anonymity; it will notreveal the electronic Identity code and any other personal identityinformation. After being encryption protected with cryptographicalgorithm (3DES/ SM1/ SM4), users' true identity related information ishided.

2. The application electronic Identity coder has uniqueness, users havedifferent codes on each application, and all users have different codesin each application;

3. The application electronic Identity can resist cryptanalysis, therelated plain text cannot be gotten through cryptanalysis. Also, eachapplication's application electronic Identity generates a key byseparating a master key selected randomly from master key matrix, whichis not the same with each other, each one master key is revealed, andthe damage caused can be controlled in a smaller scope.

4. The application electronic coder cannot be connected. As the usershave different codes on each application, even under the condition ofaccount information coverage and data analysis, the cross-applicationconfirmation of users identity cannot be realized neither.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is the flow diagram of the method to protect electronic Identityinformation based on key derived operation of the invention.

FIG. 2 is the flow diagram of generating application electronic Identitycode of one embodiment of the invention.

FIG. 3 is the flow diagram of generating encryption cipher of oneembodiment of the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

In order to describe the technical content of the present invention moreclearly, now describe it further combining specific embodiments.

As shown in FIG. 1, in one embodiment, the method to protect electronicIdentity information based on key derived operation, has the followingcharacteristics, the method is based on electronic Identity servesystem, the system includes clients, a host security module and anelectronic Identity server, the method comprises the following steps:

(1) The electronic Identity server sends the application derivedidentifier of the application and user electronic Identity code to thehost security module;

(2) The host security module generates randomly an application masterkey, encrypts the application derived identifier with the applicationmaster key, and gets an application encryption key;

(3) The host security module encrypts the user electronic Identity codewith the application encryption key, and gets an encryption document;

(4) The host security module sends the encryption document to theelectronic Identity server;

(5) The electronic Identity server codes the encryption document and anapplication identity code, and gets an application electronic Identitycode;

(6) The electronic Identity server uses the application electronicIdentity code as the user identifier.

Wherein, the application derived identifier is a binary identifier of 16bytes, the encryption document is a document of 32 bytes, and theapplication identity code is an identifier of 48 bytes.

In a preferable embodiment, before the step (1), it further comprisesthe following step:

(0) The host security module generates an application master key matrixincluding several application master keys, wherein, the applicationmaster key matrix is a matrix of 16×16.

In a more preferable embodiment, the host security module generatingrandomly an application master key, is specifically:

The host security module selects an application master key randomly fromthe application master key matrix.

In a preferable embodiment, the encrypting the application derivedidentifier with the application master key, is specifically:

The host security module encrypts the most significant byte of theapplication derived identifier with the application master key and getsthe most significant byte of the application encryption key, and thehost security module encrypts the least significant byte of theapplication derived identifier with the application master key and getsthe least significant byte of the application encryption key.

In a more preferable embodiment, the encrypting the application derivedidentifier with the application master key, is specifically:

The host security module encrypts the application derived identifierwith the application master key using symmetric encryption algorithm,wherein, the symmetric encryption algorithm is 3DES encryptionalgorithm, SM1 encryption algorithm or SM4 encryption algorithm.

In a preferable embodiment, the host security module encrypts the userelectronic Identity code with the application encryption key, isspecifically:

In a more preferable embodiment, the host security module encrypts theuser electronic Identity code with the application encryption key usingsymmetric encryption algorithm, wherein, the symmetric encryptionalgorithm is 3DES encryption algorithm, SM1 encryption algorithm or SM4encryption algorithm.

In a preferable embodiment, the electronic Identity server codes theencryption document and an application identity code, is specifically:

The electronic Identity server splices the encryption document and anapplication identity code, and process Base64 coding after theencryption document and the application identity code are spliced.

In a preferable embodiment, before the step (1), the method furthercomprises the following step:

(a) The electronic Identity server distributes an application identitycode and an application derived identifier to each registeredapplication, and save the application identity code and the applicationderived identifier to the database.

The invention can be used widely in the application carried by eID inthe areas of e-government affairs, electronic commerce, e-bank, onlinepayment and so on, and can realize the safety protection of personalprivacy combined with different application keys. Wherein, differentapplication keys are gotten by derived operation according to encryptionalgorithm. Derive multilevel and step by step from seed data,application master key, zone sub key, card derived key and so on. Theobject of key dispersion is to make sure that even one sub key isrevealed, it won't threat to the safety management of master key, forthe master key cannot be deduced from sub key and derived data, thesafety of system is enhanced, the safety risk and management cost islowed, the following are the related concepts of key derived operation:

1) Master key: the key of upper level management center is called masterkey;

2) Sub key: key derived operated from the master key;

3) Key derived process: the operation process of generating sub keysfrom master key;

4) Derived data: calculating data used for key dispersion.

Beside, the entities and related key definitions are as follows:

eID service system: a background system providing eID related service.It mainly realizes the whole life cycle business process of eID such asgeneration, storage, using, maintenance, and so on.

rely part: an entity providing network application service rely on eIDservice system.

eID code: the only identification code generated for each eID useraccording to related algorithm, the length is 48 bytes, it is recordedas eID_code. But before being encoded with Base64, the users' eID_code(user electronic identity code) has 32 bytes effective fields, it isrecorded as eID_code₃₂.

application eID code (application electronic identity code): anelectronic identity code used to mark the user in rely part generatedaccording to user's eID_code, one eID_user has different identity codesin different applications, it's length is 48 bytes, it is recorded asApp_eIDCode.

application identity coder: a 4 bytes binary code assigned for a thirdparty application by the eID service system, used to mark the thirdparty application, recorded as App_ID.

application derived identifier: a 16 bytes binary code assigned for athird party application by the eID service system, stored in thedatabase of eID service platform, used as key derived factor, recordedas App_code.

application master matrix: the application master key is used togenerate application encryption key, it is generated, protected andstored by the host security module, the application master matrixconsists a group of application master key, it is generally a 16×16matrix. The master's position in a matrix can be marked by twohexadecimal characters, and it is recorded as MKeyMatrix.

When certain application App_(i) registers in the eID service system,the eID service system distributes an App_ID_(i) and an App_code_(i) tothe application App_(i), and stores it in the database. Hereafter, whenthe application needs to identify the user, the application App_(i)requests the eID service system or identifies the user by itself. Afterthe identification is done, the eID service system generates anApp_eIDCode_(i) and returns it to the application, that is the user'sidentity code on this application App_(i) of the eID user isApp_eIDCode_(i).

The following is the description combining FIG. 2 and FIG. 3 of the keytechnology of the invention:

1. The flow of generating App_eIDCode_(i) for users by the eID servicesystem, can be seen as FIG. 2, the specific steps are as follows:

1) the eID service system sends the application's App_code and user'seID_code₃₂ as a key element to the host security module;

2) receiving the encryption document C₁ of 32 bytes from the hostsecurity module;

3) the eID service system encoded the document C₁ after it is jointedwith 4 bytes App_ID, and generates an App_eIDCode of 48 bytes for theapplication, that is:

App_eIDCode=Base₆₄(C ₁|App_ID)

2. The flow of generates an encryption document by the host securitymodule, can be seen as FIG. 3, the specific steps are as follows:

1) the host security module generates an application master key matrixMKeyMatrix[i,j] of 16×16.

2) the host security module selects randomly from the application masterkey matrix MKeyMatrix[a,b] (wherein i=a, j=b, a and b are naturalnumber) as the application master key after receiving App_code andeID_code₃₂, gets the application encryption key cKey using symmetricencryption algorithm (such as 3DES/SM1/SM4 and so on), that is:

cKey=3DES/SM4(MKeyMatrix[a,b], App_code);

3) according to the application encryption key cKey, the host securitymodule encrypts certain user's eID_code₃₂ using symmetric encryptionalgorithm (such as 3DES/SM1/SM4 and so on), and gets the 32 bytesencryption document C₁ of the user generated on this application, thatis:

C1=3DES/SM1/SM4(cKey, eID_code₃₂);

4) the host security module sends the 32 bytes encryption document C₁ tothe eID service system through a private network.

Besides, the following is the description of how the host securitymodule encrypts the user's eID_code₃₂ using symmetric encryptionalgorithm taking 3DES algorithm for example:

the host security module selects an application master key randomly fromthe application master key matrix, and process derived operation to 16bytes APP_Code using 3DES-128 algorithm, the specific algorithm is:

encrypt the most significant byte of APP_Code using the applicationmaster key as the most significant byte of the application encryptionkey, encrypt the least significant byte of APP_Code using theapplication master key as the least significant byte of the applicationencryption key, then get the application encryption key cKey.

The method to protect electronic Identity information based on keyderived operation faces rely part (that is provider of networkapplication service), it not only can identify and verify accurately theauthenticity and effectiveness of citizens electronic Identity, but alsocan prevent several applications from revealing personal privateinformation caused by active (commercial data exchange) or passive(information be dragged out of a database) account information convergeand data analysis, solve the problems of electronic Identity managementand personal privacy protection under big data environment safely andeffectively. It has the following positive benefits:

1. The application electronic Identity code has anonymity; it will notreveal the electronic Identity code and other personal identityinformation. After being encryption protected with cryptographicalgorithm (3DES/SM1/SM4), users' true identity related information ishided.

2. The application electronic Identity coder has uniqueness, users havedifferent codes on each application, and all users have different codesin each application;

3. The application electronic Identity can resist cryptanalysis, therelated plain text cannot be gotten through cryptanalysis. Also, eachapplication's application electronic Identity generates a key byseparating a master key selected randomly from master key matrix, whichis not the same with each other, each one master key is revealed, thedamage caused can be controlled in a smaller scope.

4. The application electronic coder cannot be connected. As the usershave different codes on each application, even under the condition ofaccount information coverage and data analysis, the cross-applicationconfirmation of users identity cannot be realized neither.

In this specification, the present invention has been described withreference to the specific embodiments. However, obviously modificationsand variations still can be made without departing from the spirit andrange of the invention. Accordingly, the specification and drawings areto be regarded as illustrative rather than restrictive.

I claim:
 1. A method to protect electronic Identity information based onkey derived operation, characterized in that, the method is based on anelectronic Identity server system, the system includes clients, a hostsecurity module and an electronic Identity server, the method comprises:the host security module generates randomly an application master key,encrypts an application derived identifier of an application with theapplication master key, and gets an application encryption key; the hostsecurity module encrypts a user electronic Identity code with theapplication encryption key, and gets an encryption document; the hostsecurity module sends the encryption document to the electronic Identityserver; the electronic Identity server codes the encryption document andan application identity code, and gets an application electronicIdentity code; and the electronic Identity server uses the applicationelectronic Identity code as the user identifier; wherein the encryptingthe application derived identifier with the application master keyfurther comprises-the host security module encrypting a most significantbyte of the application derived identifier with the application masterkey and obtaining a most significant byte of the application encryptionkey, and the host security module encrypting a least significant byte ofthe application derived identifier with the application master key andobtaining a least significant byte of the application encryption key. 2.The method according to claim 1, further comprising the host securitymodule generates an application master key matrix including severalapplication master keys.
 3. The method according to claim 2, wherein thehost security module randomly generates an application master key thatis randomly selected from the application master key matrix.
 4. Themethod according to claim 3, wherein the application master key matrixis a matrix of 16×16.
 5. The method according to claim 1, wherein theencrypting the application derived identifier with the applicationmaster key further comprises the host security module encrypting theapplication derived identifier with the application master key using asymmetric encryption algorithm.
 6. The method according to claim 5,wherein the symmetric encryption algorithm is one of a an SM1 encryptionalgorithm or an SM4 encryption algorithm.
 7. The method according toclaim 1, wherein the host security module encrypts the user electronicIdentity code with the application encryption key, where the applicationencryption key uses a symmetric encryption algorithm.
 8. The methodaccording to claim 7, wherein the symmetric encryption algorithm is oneof an SM1 encryption algorithm or a SM4 encryption algorithm.
 9. Themethod according to claim 1, wherein the electronic Identity servercodes the encryption document and an application identity code; andwherein the electronic Identity server splices the encryption documentand an application identity code, and following the splicing theelectronic Identity server Base64 codes the spliced together encryptiondocument and the application identity code.
 10. The method according toclaim 1, further comprising the electronic Identity server distributingan application identity code and an application derived identifier toeach registered application, and saves the application identity code andthe application derived identifier to a database.
 11. The methodaccording to claim 1, wherein the application derived identifier is abinary identifier of 16 bytes, and the application identity code is anidentifier of 48 bytes.
 12. An electronic Identity server systemcomprising: a host security module configured to generate randomly anapplication master key, encrypt an application derived identifier of anapplication with the application master key, and get an applicationencryption key, encrypt a user electronic Identity code with theapplication encryption key, get an encryption document, and send theencryption document to the electronic Identity server, wherein the hostsecurity module encrypts the application derived identifier with theapplication master key by encrypting a most significant byte of theapplication derived identifier with the application master key andobtaining a most significant byte of the application encryption key andby encrypting a least significant byte of the application derivedidentifier with the application master key and obtaining a leastsignificant byte of the application encryption key; and an electronicIdentity server configured to code the encryption document and anapplication identity code, get an application electronic Identity code,and use the application electronic Identity code as the user identifier.